Internet DRAFT - draft-hmntsharma-bmp-tcp-ao

GROW                                                           H. Sharma
Internet-Draft                                                  Vodafone
Intended status: Informational                          10 February 2024
Expires: 13 August 2024


          TCP-AO Protection for BGP Monitoring Protocol (BMP)
                     draft-hmntsharma-bmp-tcp-ao-02

Abstract

   This document outlines the utilization of the Transmission Control
   Protocol - Authentication Option (TCP-AO), as prescribed in RFC5925,
   for the authentication of Border Gateway Protocol Monitoring Protocol
   (BMP) sessions, as specified in RFC7854.  The intent is to heighten
   security within the underlying Transmission Control Protocol (TCP)
   transport layer, ensuring the authentication of BMP sessions
   established between routers and BMP stations.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/hmntsharma/draft-hmntsharma-bmp-tcp-ao.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 13 August 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.




Sharma                   Expires 13 August 2024                 [Page 1]

Internet-Draft  TCP-AO Protection for BGP Monitoring Pro   February 2024


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  TCP-AO Protection for BGP Monitoring Protocol (BMP) . . . . .   2
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   5.  Informative References  . . . . . . . . . . . . . . . . . . .   3
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   3
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   3

1.  Introduction

   The BGP Monitoring Protocol (BMP), as specified in RFC7854,
   recommends the use of Internet Protocol Security (IPsec), as
   specified in RFC4303, to address the security of the BMP session
   between routers and the BMP station that collects BGP routes.  This
   document underscores the use of the Transmission Control Protocol -
   Authentication Option (TCP-AO) as the authentication mechanism that
   provides end-to-end authentication of BMP sessions between the
   routers and the BMP stations.  TCP-AO is already the authentication
   mechanism of choice for TCP-based network protocols such as BGP and
   LDP.  A comprehensive discussion of TCP-AO is provided in RFC5925.

2.  TCP-AO Protection for BGP Monitoring Protocol (BMP)

   The BGP Monitoring Protocol (BMP) outlined in RFC7854 plays a crucial
   role in network management by allowing routers to share information
   about their BGP tables, helping operators monitor and troubleshoot
   their networks effectively.  However, the security considerations
   associated with BMP have become increasingly critical in light of
   evolving cyber threats.  This document proposes that these concerns
   be addressed by introducing a framework that utilizes the
   Transmission Control Protocol - Authentication Option (TCP-AO),
   specified in RFC5925, to safeguard BMP sessions.

   Extending this security measure to BMP helps mitigate risks
   associated with unauthorized access, tampering, and other potential
   security vulnerabilities.  By integrating TCP-AO into BMP
   implementations, network operators can establish a more resilient and
   trustworthy foundation for BGP monitoring activities.

   TCP-AO is not intended as a direct substitute for IPsec, nor is it
   presented as such in this document.

   As outlined in section "3.2.  Connection Establishment and
   Termination" of RFC 7854, BMP operates as a unidirectional protocol,
   meaning no messages are transmitted from the monitoring station to
   the monitored router.  Consequently, BMP lacks an effective means of
   tracking a session between the router and the station.  It relies on
   the underlying TCP session, supported by TCP keepalives (RFC1122), to
   maintain session activity.  Therefore, it is recommended to
   authenticate the end-to-end TCP session between the router and the
   BMP station using TCP-AO.
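   As an added illustration, not part of this draft, the following
   Python models the per-segment authentication that TCP-AO gives the
   TCP session carrying BMP: a traffic key bound to the connection's
   addresses, ports and ISNs, a 96-bit MAC over each segment, and a
   receiver check that rejects a tampered BMP Initiation message and a
   RST forged without the master key.  The key derivation and the
   fields covered are a simplified model of RFC 5925/5926, not their
   exact byte encoding; addresses, ports, ISNs and the master key are
   constructed sample values (11019 is assumed to be BMP's registered
   TCP port).

```python
import hashlib
import hmac
import socket
import struct

MAC_LEN = 12  # TCP-AO carries a 96-bit MAC (HMAC-SHA-1-96, RFC 5926)


def conn_context(src, dst, sport, dport, sisn, disn):
    """Identifiers TCP-AO binds the traffic key to: addresses, ports and ISNs."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!HHII", sport, dport, sisn, disn))


def traffic_key(master_key, ctx):
    """Per-connection traffic key from the configured master key.  Simplified
    model of the RFC 5926 KDF: same inputs, not the RFC's exact byte encoding."""
    return hmac.new(master_key, b"TCP-AO" + ctx, hashlib.sha1).digest()


def segment_mac(key, ctx, seq, flags, payload):
    """MAC over pseudo-header, TCP header fields and payload, MAC field zeroed."""
    covered = ctx[:12] + struct.pack("!IB", seq, flags) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:MAC_LEN]


def verify_segment(key, ctx, seq, flags, payload, mac):
    return hmac.compare_digest(segment_mac(key, ctx, seq, flags, payload), mac)


def demo():
    """Constructed sample: router 192.0.2.1 -> BMP station 198.51.100.10."""
    master = b"constructed-shared-master-key"
    ctx = conn_context("192.0.2.1", "198.51.100.10", 49152, 11019, 1000, 2000)
    key = traffic_key(master, ctx)
    init_msg = struct.pack("!BIB", 3, 6, 4)  # BMP v3 common header: Initiation, no TLVs
    mac = segment_mac(key, ctx, 1000, 0x18, init_msg)  # PSH|ACK carrying the message
    genuine = verify_segment(key, ctx, 1000, 0x18, init_msg, mac)
    # Same MAC presented over a modified payload: tampering is detected
    tampered = verify_segment(key, ctx, 1000, 0x18, init_msg[:-1] + b"\x00", mac)
    # RST built by a host without the master key cannot tear the session down
    forged = segment_mac(b"wrong-key", ctx, 1000, 0x04, b"")
    forged_rst = verify_segment(key, ctx, 1000, 0x04, b"", forged)
    # Same master key, different source port: the traffic key differs
    other = traffic_key(master, conn_context("192.0.2.1", "198.51.100.10", 49153, 11019, 1000, 2000))
    return genuine, tampered, forged_rst, key != other
```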

3.  Security Considerations

   TCP-AO strengthens the security of the BMP session.  It is applied
   at the existing TCP transport, so it raises the level of protection
   without imposing any additional load.

4.  IANA Considerations

   This document has no IANA actions.

5.  Informative References

   [RFC5925]  Touch, J., Mankin, A., and R. Bonica, "The TCP
              Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
              June 2010, <https://www.rfc-editor.org/rfc/rfc5925>.

   [RFC7854]  Scudder, J., Ed., Fernando, R., and S. Stuart, "BGP
              Monitoring Protocol (BMP)", RFC 7854,
              DOI 10.17487/RFC7854, June 2016,
              <https://www.rfc-editor.org/rfc/rfc7854>.

Acknowledgments

   This document is an outcome of the experiences gained through
   implementing BMP.  While TCP-AO safeguards other TCP protocols, BMP
   lacks the same level of protection within this context.

Author's Address

   Hemant Sharma
   Vodafone
   Email: hemant.sharma@vodafone.com
